Wednesday, November 15, 2006

Simple security design review steps

Know the applicationEvery computer application, no matter how complex, consists of components that lie in the following categoriesa) Processesb) Data channelsc) Data storesd) Interactors[Readers familiar with DFDs or data flow diagrams will instantly recognise that these categories.] Start out by decomposing the system into smaller components and start creating DFDs of the same. Creating the DFDs will help the reviewer in the following way:

Will give you a deeper understanding of the system.

Will force application teams to think about their application and stimulate security discussions even before the security review begins!

Create the DFDs until you (the reviewer) have a fairly good understanding of the system. I would recommend that you draw these diagrams 'online' with the app teams. This allows the app team to correct your thinking as you move on. Dont strive for 100% familiarization with the application.

Identify ThreatsBehavioural TipsDo not adopt an extremist stance when identifying threats. Do not give the app teams the impression that you are policing and judging their application. Remember, you goal is to prise out as much as possible from the app team. They are your best source of threats! Dont start out with "Do you realize that your application can be attacked in this manner?". Instead say something like, "Lets try and find out how the application responds to this threat.".

Technical TipsI have come to realize after no matter what your threat, they will always lie in one or more of the following categories:

Loss of confidentiality - Data ends up getting read by someone other than the intended user.

Loss of integrity - Data has been tampered with and the system (or user) can no longer trust the data.

Loss of availability - The application has gone for a toss and is no longer providing the expected quality of service (sluggish or totally down system)

Damage of the contract between a user and his credentials - This manifests in the form of repudiating (user denying having carried out certain operations), impostoring (user forging as someone else or worse still, getting through without authenticating to the system)

The AppSec Guy

Jesus Christ, the Son of God became the Son of Man so that the sons of men may become sons of God. I, by the mercy and grace of Jesus Christ, am humbled that God is my Father. Greetings in His matchless name.